What is an HTTP Host header
The HTTP host header is an request header that specifies the domain which a client wants to access. so here header is necessary because it is standard for servers to host website and applications at the same of IP address, When a server receives a request, it Checks the the host header parameter to determine which domain needs to process the request and then dispatches it.
What Is An HTTP Host Header Attack
when a web application cant validate the value in the host header then a attacker can easily try to manipulate the values and try to use this to inject harmful payloads into the web application this vulnerability could lead to many other vulnerabilities like
- SQL injections
- web cache poisoning
- SSRF
How to perform attack
Suppose there is an web application Intercept with Burpsuit and change the host If attack is possible there is Host header attack
Suppose If want to bypass this host header injection ?
GET /artists.php HTTP/1.1
Host: www.testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
X-Forwarded-Host : www.testphp.vulnweb.com
Change host evil.com If it works then there is a vulnerability
GET /artists.php HTTP/1.1
Host: evil.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
X-Forwarded-Host : www.testphp.vulnweb.com
You can even try to manipulate by changing X-Forwarded-Host : to www.bing.com like this below there are some examples are there to understand more deeper
1 ) Host : bing.com
X-Forwarded-Host : www.bing.com
2 ) Host : www.bing.com
X-Forwarded-Host : evil.com
3 ) HOST : www.evil.com@www.bing.com
4 ) Refferer : https://www.bing.com/
5 ) Origin : https://www.bing.com/
6 ) You can change the Post method ..
TOP Host header Injection reports
https://hackerone.com/reports/698416
https://hackerone.com/reports/13286
https://hackerone.com/reports/158019